ExPFIAFAU

FIA Paper FAU Foundations in Audit

theexpgroup.com

Notes

ExPress Notes FIA Foundations in Audit

Page | 2 2014 The ExP Group. Individuals may reproduce this material if it is for their own private study use only. Reproduction by any means for any other purpose is prohibited. These course materials are for educational purposes only and so are necessarily simplified and summarised. Always obtain expert advice on any specific issue. Refer to our full terms and conditions of use. No liability for damage arising from use of these notes will be accepted by the ExP Group.

Contents

About ExPress Notes 3

1. Business environment and audit framework 7

2. Audit planning and risk 14

3. Internal control 20

4. Audit evidence and procedures 25

5. Audit completion 49



START About ExPress Notes

We are very pleased that you have downloaded a copy of our ExPress notes for this paper. We expect that you are keen to get on with the job in hand, so we will keep the introduction brief.

First, we would like to draw your attention to the terms and conditions of usage. Its a condition of printing these notes that you agree to the terms and conditions of usage. These are available to view at www.theexpgroup.com. Essentially, we want to help people get through their exams. If you are a student for the ACCA exams and you are using these notes for yourself only, you will have no problems complying with our fair use policy.

You will however need to get our written permission in advance if you want to use these notes as part of a training programme that you are delivering.

WARNING! These notes are not designed to cover everything in the syllabus!

They are designed to help you assimilate and understand the most important areas for the exam as quickly as possible. If you study from these notes only, you will not have covered everything that is in the ACCA syllabus and study guide for this paper.

Components of an effective study system

On ExP classroom courses, we provide people with the following learning materials:

x The ExPress notes for that paper x The ExP recommended course notes / essential text or the ExPedite classroom

course notes where we have published our own course notes for that paper x The ExP recommended exam kit for that paper. x In addition, we will recommend a study text / complete text from one of the ACCA

official publishers, but we do not necessarily give this as part of a classroom course, as we think that it can sometimes slow people down and reduce the time that they are able to spend practising past questions.

ExP classroom course students will also have access to various online support materials, including:

x The unique ExP & Me e-portal, which amongst other things allows view again of the classroom course that was actually attended.

x ExPand, our online learning tool and questions and answers database



Everybody in the World has free access to ACCAs own database of past exam questions, answers, syllabus, study guide and examiners commentaries on past sittings. This can be an invaluable resource. You can find links to the most useful pages of the ACCA database that are relevant to your study on ExPand at www.theexpgroup.com.

How to get the most from these ExPress notes For people on a classroom course, this is how we recommend that you use the suite of learning materials that we provide. This depends where you are in terms of your exam preparation for each paper.

Your stage in study for each paper

These ExPress notes

ExP recommended course notes, or ExPedite notes

ExP recommended exam kit

ACCA online past exams

Prior to study, e.g. deciding which optional papers to take

Skim through the ExPress notes to get a feel for whats in the syllabus, the size of the paper and how much it appeals to you.

Dont use yet Dont use yet Have a quick look at the two most recent real ACCA exam papers to get a feel for examiners style.

At the start of the learning phase

Work through each chapter of the ExPress notes in detail before you then work through your course notes.

Dont try to feel that you have to understand everything just get an idea for what you are about to study. Dont make any annotations on the ExPress notes at this stage.

Work through in detail. Review each chapter after class at least once. Make sure that you understand each area reasonably well, but also make sure that you can recall key definitions, concepts, approaches to exam questions, mnemonics, etc.

Nobody passes an exam by what they have studied we pass exams by being efficient in being able to prove what we know. In other words, you need to have effectively input the knowledge and be effective in the output of what you know. Exam practice is key to this.

Try to do at least one past exam question on the learning phase for each major chapter.

Dont use at this stage.



Your stage in study for each paper

These ExPress notes

ExP recommended course notes, or ExPedite notes

ExP recommended exam kit

ACCA online past exams

Practice phase Work through the ExPress notes again, this time annotating to explain bits that you think are easy and be brave enough to cross out the bits that you are confident youll remember without reviewing them.

Avoid reading through your notes again. Try to focus on doing past exam questions first and then go back to your course notes/ ExPress notes if theres something in an answer that you dont understand.

This is your most important tool at this stage. You should aim to have worked through and understood at least two or three questions on each major area of the syllabus. You pass real exams by passing mock exams. Dont be tempted to fall into passive revision at this stage (e.g. reading notes or listening to CDs). Passive revision tends to be a waste of time.

Download the two most recent real exam questions and answers. Read through the technical articles written by the examiner. Read through the two most recent examiners reports in detail. Read through some other older ones. Try to see if there are any recurring criticism he/ she makes. You must avoid these!

The night before the real exam

Read through the ExPress notes in full. Highlight the bits that you think are important but you think you are most likely to forget.

Unless there are specific bits that you feel you must revise, avoid looking at your course notes. Give up on any areas that you still dont understand. Its too late now.

Dont touch it! Do a final review of the two most recent examiners reports for the paper you will be taking tomorrow.

At the door of the exam room before you go in.

Read quickly through the full set of ExPress notes, focusing on areas youve highlighted, key workings, approaches to exam questions, etc.

Avoid looking at them in detail, especially if the notes are very big. It will scare you.

Leave at home. Leave at home.



Our ExPress notes fit into our portfolio of materials as follows:

Notes

Notes

Notes

Provide a base understanding of the most important areas of the syllabus only.

Provide a comprehensive coverage of the syllabus and accompany our face to face professional exam courses

Provide detailed coverage of particular technical areas and are used on our Professional Development and Executive Programmes.

To maximise your chances of success in the exam we recommend you visit www.theexpgroup.com where you will be able to access additional free resources to help you in your studies.

START About The ExP Group

Born with a desire to be the leading supplier of business training services, the ExP Group delivers courses through either one of its permanent centres or onsite at a variety of locations around the world. Our clients range from multinational household corporate names, through local companies to individuals furthering themselves through studying for one of the various professional exams or professional development courses.

As well as courses for ACCA and other professional qualifications, our portfolio of expertise covers all areas of financial training ranging from introductory financial awareness courses for non financial staff to high level corporate finance and banking courses for senior executives.

Our expert team has worked with many different audiences around the world ranging from graduate recruits through to senior board level positions.

Full details about us can be found at www.theexpgroup.com and for any specific enquiries please contact us at [email protected].



Chapter 1

Business environment and audit framework

START The Big Picture

For the financial markets to be efficient they need trust. The investors must believe that the financial reports of companies are true and free from errors. This assurance is provided by external accountants that apply specialist procedures to the information presented by companies in their financial statements. These accountants are called auditors and are licensed by certain organizations of public trust or by governments directly.

In order for their assurance to be meaningful there are some strict requirements on who they should be and how they should behave. These relate primarily to their independence there can be no doubt that they work in the best interest of shareholders rather than the companies being audited.

In the past, when such doubts arouse this led to the collapse of both the company and its auditor (eg. Enron and Arthur Andersen) as investors stopped believing both the companys financial reports and their auditors.



KEY KNOWLEDGE The purpose and scope of an audit

The need for the audit of the financial statements comes from the demand for trust in financial markets. Shareholders of companies hire managers to manage their businesses. Periodically those owners want to assess the effectiveness of the management actions. Thus they read the financial statements.

Yet it is the managers that are responsible for the preparation of the financial statements.

In order to remove the potential conflict of interest, the shareholders appoint auditors professionals who will assert that the content of the financial statements shows a true and fair view of the companys financial position and performance in accordance with an accepted reporting framework (eg. International Financial Reporting Standards).

The scope of auditors work is to provide reasonable (rather than absolute) assurance that the financial statements are free of material misstatement. They provide reasonable assurance because their work is performed on a test basis given the limited time they have to perform their procedures auditors cannot verify every single transaction and event (which would effectively mean reperform the accountants work over the period) they will first analyse the internal control environment to check whether material misstatements could be made by lack of controls and then they will verify samples of transactions and balances to make sure that the ultimate financial statements are not materially misstated.

The company

Owners

The managers

Financial statements

Auditors own

is managed by

who prepare

for

hire

to make sure that the financial statements are free from material misstatement.



KEY KNOWLEDGE Requirements for becoming an auditor

Only a member of a Recognised Supervisory Body (eg. ACCA) may act as an auditor if that person is allowed to do it by the rules of that body. In some jurisdictions auditors are authorized directly by the state.

Since his role is to provide assurance on the financial statements of the company the key requirement for becoming an auditor in a company is that they must be independent of that company.

Independence is defined as freedom from situations and relationships where objectivity would be perceived to be impaired by a reasonable and informed third party. An auditor must be and must be seen to be independent. This means that despite his own feeling about his independence and objectivity, it must be absolutely clear to any informed external third party that there is no threat to the auditors objectivity.

There are 5 threats to independence that the auditor must be aware of:

1. Self interest eg. when the auditor is also an investor in the company (or a lender) this poses a threat that his views on the financial statements will be impacted by his investment decisions.

2. Self review eg. when financial statements contain information prepared by the auditor (through provision of some other services).

3. Advocacy eg. when the auditor may be perceived as willing to unduly support companys views without professional skepticism.

4. Familiarity eg. when the auditor becomes too familiar with the company staff. 5. Intimidation eg. when the auditor may be deterred from acting objectively by

threats, actual or perceived.

In order to reduce the threats above the audit profession requires auditors to introduce safeguards against those threats. Those safeguards will be implemented at the level of the profession (eg. through education and experience requirements), at the level of an audit firm (eg. through work practices, recruitment and oversight procedures) and at the level of an individual (eg. being in contact with professional bodies, complying with continuous professional development requirements of the professional body).

Professional ethics



Auditors are required to adhere to the Code of Ethics issued by their professional body (eg. ACCA for ACCA members with practicing certificates).

A Code of Ethics was issued by IFAC (International Federation of Accountants) which contains key requirements that auditors should meet. Based on this code the professional bodies built their own Code of Ethics which may be more demanding than the one of IFAC. The professional bodies have the right to discipline their for non-compliance with their Code of Ethics. This discipline eventually ends with being removed from the register of members of the body which effectively means being removed from the profession.

The fundamental principles require the auditors to maintain 5 qualities in their behavior:

1. Integrity auditors should be straightforward and honest in all professional and business relationships.

2. Objectivity auditors should not allow bias, conflicts of interest or undue influence of others to override professional or business judgments.

3. Professional competence and due care auditors have a continuing duty to maintain professional knowledge and skill at a level required to ensure that a client or employer receives competent professional service based on current developments in practice, legislation and techniques.

4. Confidentiality auditors should respect the confidentiality of information acquired as a result of professional and business relationships and should not disclose any such information to third parties without proper and specific authority or unless there is a legal or professional right or duty to disclose.

5. Professional behaviour auditors should comply with relevant laws and regulations and should avoid any action that discredits the profession.

KEY KNOWLEDGE Legal duties of auditors

In accordance with ISA 200 the auditor's duties are to:

obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error;

express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable reporting framework; and

report on the financial statements, and communicate as required by ISA's, in accordance with the auditor's findings.



KEY KNOWLEDGE Auditors rights

During his work the auditor has the right to:

Access to the companys books and records. Receive information and explanations necessary for the audit. Ro receive notice of and attend any general meeting of members of the

company. Be heard at such meetings on matters of concern to the auditor.

KEY KNOWLEDGE Liabilities of auditors

Auditors are liable for professional negligence which an auditor may incur because of an act or default by him/her or by one of his/her employees or associates which results in financial loss to a client or third party to whom a duty of care is owed.

In recent years there have been a number of cases where substantial sums have been claimed as damages for negligence against accountants and auditors. In a number of cases it appears that the claims may have arisen as a result of some misunderstanding as to the degree of responsibility which the accountant was expected to assume in giving advice or expressing an opinion. It is therefore important to distinguish between:

(a) disputes arising from misunderstandings regarding the duties assumed (the expectation gap); and

(b) negligence in carrying out agreed terms.

In order to limit the possibility of any liability to the clients, the auditors should:

(a) clearly agree the terms of each engagement in an engagement letter which details the responsibilities of the auditor and separates them from the responsibilities of the company; and

(b) strictly adhere to the standards of auditing on which the engagement is based (eg. International Standards on Auditing ISA) in their work practices and evidence collection.



Other methods of reducing the impact of potential litigation and therefore restricting the liability include:

(a) obtaining a professional indemnity insurance (mandatory in certain jurisdictions);

(b) acting through a limited liability company (not permitted in certain jurisdictions).

KEY KNOWLEDGE Audit regulation

Auditors must follow a number of sets of regulatory guidance:

1. The Code of Ethics

2. The Auditing Standards (for this examination the International Standards on Auditing are the standards to be followed)

3. Any national legislation relating to the profession of auditors or in general the company law.

KEY KNOWLEDGE The impact of fraud

ISA 240 the Auditors Responsibilities Relating to Fraud in an Audit of Financial Statements recognises that misstatement in the financial statements can arise from either fraud or error. The difference is whether the misstatement was intentional or unintentional.

Fraud can be of two types:

(a) Misappropriation of assets the typical theft of companys assets; or

(b) Fraudulent financial reporting leading to unjustified amounts (eg. bonuses) being paid out which effectively is the same as (a).

It is not the auditors responsibility to detect fraud. That is because fraud is a criminal activity that is usually well concealed. Auditors procedures should however allow to detect material misstatements in the financial statements, including those resulting from fraud.

This means that the auditor must consider whether there is a possibility that the financial statements are misstatement as a result of fraud and should obtain sufficient and appropriate evidence on the likelihood of such a misstatement.



KEY KNOWLEDGE External audit and internal audit

The IIA (Institute of Internal Auditors) defines internal auditing as follows>

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisations operations.

It helps an organisation accomplish its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Fundamental differences between internal and external auditors

Both internal auditors and external auditors will have a major interest in the effectiveness of a companys internal control systems. Both are assurance providers and as such will make use of similar techniques and procedures.

Due to these similarities the external auditors may find it useful sometimes to use the work or the products of the work of internal auditors. However, it is important for the external auditor to always be aware of certain fundamental differences as indicated below:

INTERNAL AUDITOR EXTERNAL AUDITOR SCOPE MANAGEMENT ISAs + REGULATIONS APPROACH MANAGEMENT ISAs + REGULATIONS RESPONSIBILITY MANAGEMENT SHAREHOLDERS

The differences mentioned above lead to different requirements that one would have towards an internal auditor. Eg. the internal auditor cannot possibly by independent of the company (he/she is an employee of the company).

Thus a lot of care should be taken by auditors when attempting to use the internal audit in their work.



Chapter 2

Audit planning and risk


The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entitys internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan. Adequate planning benefits the audit of financial statements in several ways, including the following:

Helping the auditor to devote appropriate attention to important areas of the audit. Helping the auditor identify and resolve potential problems on a timely basis. Helping the auditor properly organize and manage the audit engagement so that it

is performed in an effective and efficient manner.



Assisting in the selection of engagement team members with appropriate levels of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them.

Facilitating the direction and supervision of engagement team members and the review of their work.

Assisting, where applicable, in coordination of work done by auditors of components and experts.

KEY KNOWLEDGE Audit strategy, audit plan and audit programme (ISA 300)

An overall audit strategy sets the scope, timing and direction of the audit, and guides the development of the audit plan.

The process of establishing the overall audit strategy should assist the auditor to determine procedures, such matters as:

The resources to deploy for specific audit areas, such as the use of appropriately experienced team members for high risk areas or the involvement of experts on complex matters;

The amount of resources to allocate to specific audit areas, such as the number of team members assigned to observe the inventory count at material locations, the extent of review of other auditors work in the case of group audits, or the audit budget in hours to allocate to high risk areas;

When these resources are to be deployed, such as whether at an interim audit stage or at key cutoff dates; and

How such resources are managed, directed and supervised, such as when team briefing and debriefing meetings are expected to be held, how engagement partner and manager reviews are expected to take place (for example, on-site or off-site), and whether to complete engagement quality control reviews.

Based on this strategy the auditor should develop an audit plan that shall include a description of:

(a) The nature, timing and extent of planned risk assessment procedures

(b) The nature, timing and extent of planned further audit procedures

The audit plan is more detailed than the overall audit strategy in that it includes the nature, timing and extent of audit procedures to be performed by engagement team members.



Planning for these audit procedures takes place over the course of the audit as the audit plan for the engagement develops.

For example, planning of the auditors risk assessment procedures occurs early in the audit process. However, planning the nature, timing and extent of specific further audit procedures depends on the outcome of those risk assessment procedures.

Audit programme is a list of specific procedures to be performed and documentation to be collected for each specific class of transactions of balances.

KEY KNOWLEDGE Risk assessment procedures (ISA 315)

Before collecting audit evidence and performing audit procedures the auditor should perform risk assessment procedures. Those procedures aim at determining the risk of material misstatement in the financial statements. These procedures will include:

(a) Inquiries of management, and of others within the entity who in the auditors judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error.

(b) Analytical procedures (analysis of financial and not financial information in order to detect trends and expectations and investigate potential departures from those trends or expectations).

(c) Observation and inspection.

Based on this risk assessment the auditor will conclude on the likelihood of material misstatement at the financial statements level and at the assertion level (eg. whether there are issues with valuation, accuracy, completeness, rights and obligations, occurrence etc.) and designs his/her procedures to make sure that such potential material misstatements are detected.

KEY KNOWLEDGE Understanding the entity and its environment (ISA 315)

The auditor must understand the key features of an entity including:

(a) industry or regulatory factors and applicable reporting framework (eg. IFRS),



(b) the nature of its operations, ownership and structure, (c) entitys accounting policies, (d) entitys objectives and strategies, (e) its financial performance in the past, (f) the internal control environment relating to the financial reporting and control

activities relevant to audit, (g) the entitys business risk management process, (h) entitys IT infrastructure and systems

KEY KNOWLEDGE Audit planning documentation (ISA 300)

The documentation of the overall audit strategy is a record of the key decisions considered necessary to properly plan the audit and to communicate significant matters to the engagement team. For example, the auditor may summarize the overall audit strategy in the form of a memorandum that contains key decisions regarding the overall scope, timing and conduct of the audit.

The documentation of the audit plan is a record of the planned nature, timing and extent of risk assessment procedures and further audit procedures at the assertion level in response to the assessed risks. It also serves as a record of the proper planning of the audit procedures that can be reviewed and approved prior to their performance. The auditor may use standard audit programs or audit completion checklists, tailored as needed to reflect the particular engagement circumstances.

KEY KNOWLEDGE Audit materiality (ISA 320)

Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of



uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditors report.

Determining materiality involves the exercise of professional judgment. A percentage is often applied to a chosen benchmark as a starting point in determining materiality for the financial statements as a whole.

Examples of benchmarks that may be appropriate, depending on the circumstances of the entity, include categories of reported income such as profit before tax (eg. errors in excess of 5-10% of profit are considered material), total revenue (eg. errors in excess of 0,5-1% of revenue are considered material), total assets (eg. errors in excess of 1-2% of total assets are considered material).

However planning the audit solely to detect individually material misstatements overlooks the fact that the aggregate of individually immaterial misstatements may cause the financial statements to be materially misstated, and leaves no margin for possible undetected misstatements. Performance materiality (which can be one or more amounts) is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds materiality for the financial statements as a whole.

In other words performance materiality is a number which is lower than overall materiality and if the procedures are design to detect all errors in excess of performance materiality level then the risk of a material misstatement resulting from aggregation of undetected errors is reduced to an acceptable low level (that level is determined by the auditor).

KEY KNOWLEDGE Audit risk

AUDIT RISK is very simply the overall risk that the auditor gives an inappropriate audit opinion in his report.

Eg. if an auditor gave an unqualified opinion, when in fact the company was not a going concern, then shareholders and others placing reliance on this report in making economic decisions relating to their dealings with the company might suffer financial loss.

Audit risk is seen as being made up of 3 elements:

AUDIT RISK = INHERENT RISK x CONTROL RISK x DETECTION RISK



The auditor must assess inherent risk and control risk but cannot influence them, they are what they are. The only element which the auditor can influence directly is detection risk, which he must do in order to have overall an acceptable level of audit risk.

Inherent risk is the risk that there may be material errors or misstatements in the clients financial statements, before giving consideration to any internal controls that may have been established.

Eg. in a high tech company there is high risk of obsolescent inventory which if not recognised could result in a material overstatement of both profits and asset values.

Control risk is the risk that the clients internal control systems will fail to prevent or detect material errors or misstatements.

Eg. if there is not effective segregation of duties then there is a much higher risk of employee fraud, without the need for collusion, going undetected.

Detection risk is the risk that the auditors tests and enquiries will fail to detect material errors or misstatements in the transactions and balances reflected in the clients financial statements.

Eg the detection risk is always greater with a new client because the auditors have had less time to build up their knowledge and understanding of the clients business and the risks to which it is exposed.

Detection risk is seen to include the elements of:

1. Sampling risk eg. if the auditor selects too small a sample size, it may not be representative of the population from which it is drawn, resulting in the auditor reaching an invalid conclusion about that population.

2. Non-sampling risk is any other risk that might result in the auditor arriving at the wrong audit conclusion eg. if client management were to deliberately provide the auditor with misleading information and explanations.



Chapter 3

Internal control


The internal control is a fundamental issue in auditing. The auditors assessment of the control environment will impact on the nature, timing and extent of his/her procedures. Logically the better controls exist in the organization over the accounting and financial reporting process the lower the risk that misstatements appear in financial statement undetected by the organization itself.

In the previous chapter the risk related to this was referred to as control risk.

The auditor therefore will always perform an assessment of control environment based on which he/she will determine how much reliance can be placed on entitys internal controls and thus how much procedure does the auditor need to do (how many procedures, how large sample sizes the lower level of reliance on controls the larger the sample to be tested by the auditor).



KEY KNOWLEDGE General principles of internal control

ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment states that there are 5 components of internal control:

1. The control environment 2. The entitys risk assessment process 3. The information system 4. Control activities 5. Monitoring of controls

The IIA have provided the following useful definition:

An internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organising and directing by management.

The UK Turnbull report gives us a useful summary of the main purposes of an internal control system, by stating that internal control consists of the policies, processes, tasks, behaviour and other aspects of a company that taken together:

x Facilitate its effective and efficient operation by enabling it to respond to significant business, operational, financial, compliance and other risks to achieving the companys objectives. This includes safeguarding the assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.

x Help to ensure the quality of internal and external reporting. x Help ensure compliance with applicable laws and regulation, and also with internal

policies with respect to conduct of business.

Control activities

Control activities may be explained by the type or nature of activity. These include (but are not limited to):

Segregation of duties - separating authorization, custody, and record keeping roles of fraud or error by one person.



Authorization of transactions - review of particular transactions by an appropriate person.

Retention of records - maintaining documentation to substantiate transactions. Supervision or monitoring of operations - observation or review of ongoing

operational activity. Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect

property, such as merchandise inventory. Top-level reviews-analysis of actual results versus organizational goals or plans,

periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).

IT Security - usage of passwords, access logs, etc. to ensure access restricted to authorized personnel.

Top level reviews-Management review of reports comparing actual performance versus plans, goals, and established objectives.

Controls over information processing-A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.

Recording and evaluating the controls

Auditor must record and evaluate those controls. His/her work will have two objectives:

(a) to verify whether a relevant control activity exists

Eg. to limit a possible fraud, an auditor would expect that the person making bank transfers is no the same as the person authorized to enter new counterparties into the system segregation of duties.

(b) to verify that the control activity is actually performed

Eg. continuing from previous example if the duties in this area are segregated but the two persons shared their system passwords so that they can cover for each other in case of absence the control (even though relevant) is not effective and cannot be relied on.

The auditor identifies key controls that he/she would expect to see in order to rely on companys internal control systems, documents their existence in the company and evaluates them through tests of controls.

It may be possible that the auditors assessment of controls in negative or that the expectation is that they are not existent or not functioning properly (even before testing). In such circumstances the auditor may not place reliance on control (or even not test them)



and perform fully substantive procedures ie. extensive audit procedures with large sample sizes to accommodate for the fact that control risk is high.

Techniques to record and evaluate controls in accounting systems

IT systems require some additional knowledge from the auditor. Specifically, internal control in a computer environment is normally considered under 2 main headings:

1. General Controls These relate to the environment within which computer systems are developed, operated and maintained. They will therefore be relevant to all applications. They are often sub-divided into administration controls and systems development controls. They may be either manual or programmed. These will include: use of passwords, segregation of duties between IT and operational staff, back-ups etc.

2. Application Controls These relate to those activities which have been

computerised and are concerned with the completeness and accuracy of the processing of authorised data and the maintenance of computer files. As with general controls, they may be either manual or programmed. These will include: data verification on input (eg. no debit without a corresponding credit), data validation (eg. check digits), access control logs etc.

There are techniques of auditing the systems the auditor must have an expectation of the controls he/she would see in the system and over the inputs and outputs from the system (have in mind that nowadays nearly all information in the financial statements is generated by the accounting system and thus the control over authorization and validation of inputs into this system becomes crucial).

Auditor performs test of controls, often obtaining date from the system and transferring them into spreadsheets to test their accuracy or completeness. Sometimes the auditor is granted access to the system to perform procedures directly on it.

KEY KNOWLEDGE Tests of controls (ISA 330)

Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement

Typical methods of controls testing include:



x inquiry x inspection (verifying that documents or reports are physically authorized through a

signature) x reperformance x observation of control activities x walkthrough tests where a transaction is followed through the system x computer assisted auditing techniques (CAAT)

The nature of the particular control influences the type of procedure required to obtain audit evidence about whether the control was operating effectively. For example, if operating effectiveness is evidenced by documentation, the auditor may decide to inspect it to obtain audit evidence about operating effectiveness. For other controls, however, documentation may not be available or relevant.

In case of controls testing the concept of materiality is not applied. In fact this is a black-or-white situation the control either works or not it cannot work most of the time.

KEY KNOWLEDGE Communicating control deficiencies (ISA 265)

If the auditor detects deficiencies in internal controls (ie. missing internal controls or existing internal controls not operating effectively), the auditor will report those deficiencies to those charged with governance if those deficiencies are considered significant.

Such deficiencies will be communicated in writing in the form of a Management Letter. The letter will include a description of the deficiency and the effect that the deficiency might have on the financial reporting process. Additionally the auditor may suggest how the deficiency should be removed.



Chapter 4

Audit evidence and procedures


This part of the syllabus is what people usually think the auditor does. It is about collecting the evidence in order to support conclusions that will take a form of auditors report and opinion. The auditor takes a huge risk based on some limited procedures over a limited period of time he/she issues an opinion on the financial statements that are made up of thousands or millions of transactions imagine consolidated financial statements of a multinational group!

Thus the procedures must be very well designed to spot any potential misstatements and the evidence collected must be such that any other person would draw the same conclusions based on the information available from the company.



KEY KNOWLEDGE Financial statements assertions

An item in the financial statements may be misstated due to any of a number of events that might have resulted in an error. Thus the auditor, in his/her procedures should be able to verify that none of these events had a material impact on the item.

The auditor therefore should use assertions for classes of transactions, account balances, and presentation and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures.

Take an example of inventory. It can be misstated due to:

x items being miscounted during the count (Accuracy);

x items actually received after year end being included in the year-end balance (Cut-off);

x items being incorrectly valued at cost while a net realisible value was appropriate (Valuation);

x damaged items could have been counted as good ones (Valuation);

x production cost may have been measured incorrectly (Valuation or Accuracy);

x items might have been missed out of the inventory (Existence).

The auditor uses assertions in assessing risks by considering potential misstatements that may occur, and thereby designing audit procedures that are responsive to the particular risks.

Assertions used by the auditor fall into the following categories:

(a) Assertions about classes of transactions and events for the period ended:

x Occurrence did the transactions actually occur and pertain to the entity? x Completeness have all transactions, assets, liabilities and equity balances

that related to the entity been recorded? x Accuracy - have amounts, data and other information been recorded and

disclosed appropriately? x Cut-off - have transactions and events been recorded in the correct

accounting period?



x Classification - have transactions and events been: recorded in the proper accounts?

(b) Assertions about account balances at the period end:

x Existence - do assets, liabilities and equity interests exist? x Rights and obligations - does the entity hold or control the rights to assets

and are liabilities the obligations of the entity? x Completeness x Valuation and allocation - are assets, liabilities and equity interests included in

the financial statements at appropriate values?

(c) Assertions about presentation and disclosure:

x Occurrence x Completeness x Classification and understandability x Accuracy and valuation

The assertions are not individually assessed but quite often at the same time.

Eg. To ensure completeness of electricity expense, the auditor ensures the 12 months of payments were booked. Since the client may record the bills paid on a cash basis, electricity expense of a month of previous basis period might be entered in the current year. Electricity expense of last month of current year might be recorded next year. If the monthly fluctuation is immaterial, the auditor always ignore the cut-off issue. In case where electricity is a material expense, the auditor considers preparing adjustments for year ended cut-off purpose so that the profit or loss would not be materially misstated.

KEY KNOWLEDGE Audit evidence (ISA 500)

The auditor is required to collect sufficient and appropriate evidence in order to justify the shape of his/her report and the conclusions formed in his/her audit opinion.

The auditor considers reliability of audit evidence collected. For instance, audit evidence is more reliable when it exists in documentary form rather than subsequent oral representation of the matters. Auditors consider reliability of information but involve little authentication of evidence.

Methods or techniques of audit evidence gathering are classified in 6 categories:



1. Inspection 2. Observation 3. Inquiry 4. Confirmation (audit) 5. Re-performance 6. Analytical procedures

For example, the auditor perform vouching to ensure such electricity expense occurred and whether correct amount was booked. The auditor compares electricity expense of current and last year to see whether there are fluctuations. If there are huge fluctuations, the auditor may examine electricity together with rental expense, water expense to find out reasons.

The evidence collected must be sufficient. What is sufficient is a matter of auditors professional judgment. In exercising the judgment the auditor takes into account the following facts:

x the risk of material misstatement; x the results of controls tests; x the size of a population being tested; x the size of the sample selected to test; and x the quality of the evidence obtained

In general the higher the risk the more evidence should be collected. Similarly the poorer the results of tests of controls the more evidence from substantive testing will be necessary etc.

Evidence is appropriate when it is: relevant and reliable. Relevance is the feature of tests that determines whether the test is the right one to address the financial statement assertion.

Eg. attendance at an inventory take is an excellent evidence of inventorys existence.

Reliability of evidence is a feature that depends on a number of factors. In general however:

Evidence more reliable Evidence less reliable

From independent external source From within the company Subject to effective control Not subject to effective control

Obtained directly by the auditor Obtained indirectly through the company

Written Oral Original Copy



The more reliable the evidence the less of it needs to be collected to support the decision taken for the audit opinion.

Substantive procedures

Substantive procedures (or substantive tests) are those activities performed by the auditor during the substantive testing stage of the audit that gather evidence as to the completeness, validity and/or accuracy of account balances and underlying classes of transactions.

Management implicitly assert that account balances and underlying classes of transaction do not contain any material misstatements: in other words, that they are materially complete, valid and accurate. Auditors gather evidence about these assertions by undertaking activities referred to as substantive procedures.

Eg. An auditor may: physically examine inventory on the balance sheet date as evidence that inventory shown in the accounting records actually exists (validity assertion); arrange for suppliers to confirm in writing the details of the amount owing at balance date as evidence that accounts payable is complete (completeness assertion); and make inquires of management about the collectability of customers' accounts as evidence that trade debtors is accurate as to its valuation.

There are two categories of substantive procedures - analytical procedures and tests of detail. Analytical procedures generally provide less reliable evidence than the tests of detail. Note also that analytical procedures are applied in several different audit stages, whereas tests of detail are only applied in the substantive testing stage.

Substantive analytical procedures Tests of details

Comparisons of financial statement amounts with an auditor's expectation.

Eg.

A comparison of actual interest expense for the year (a financial statement amount) with an estimate of what that interest expense should be. The estimate can be found by multiplying a reasonable interest rate times the average balance of interest bearing debt outstanding during the year (the auditor's expectation). If actual interest expense differs significantly from the expectation, the auditor explains the difference in audit

Direct tests of financial statement balances (substantive audit procedures) that are not analytical procedures.

Eg.

x selecting a sample of items from the major account balances, and finding hard evidence (e.g. invoices, bank statements) for those items.

x physically examining inventory on balance date as evidence that inventory shown in the accounting records actually exists (validity assertion);

x arranging for suppliers to confirm in writing the details of the amount owing at



documentation. balance date as evidence that accounts payable is complete (completeness assertion); and

x making inquires of management about the collectability of customers' accounts as evidence that trade debtors is accurate as to its valuation.

KEY KNOWLEDGE Audit sampling (ISA 530)

Audit sampling is the testing of less than 100% of the items within a population to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population.

The use of audit sampling, on all audit assignments, offers innumerable benefits to all auditors. These include:

x developing a consistent approach to audit areas; x providing a framework within which sufficient audit evidence is obtained; x forcing clarification of audit thinking in determining how the audit objectives

will be met; x minimising the risk of over-auditing; and x facilitating more expeditious review of working papers.

It is crucial that the items selected should be representative, in order to be able to form a conclusion on the entire population. For if a test is applied only to those items which have a specific feature (e.g., all customers balances exceeding $20,000) this constitutes 100% examination of a sub-population (or selective testing of high-value items) and the results cannot be projected to the whole population.

Samples can be selected statistically (by using random selection and then applying the probability theory to the analysis of the results) or non-statistically if the sample is selected using any other method. Example of methods are:

x random selection; x systematic selection (eg. every 10th item is selected); x monetary unit selection (eg. every item containing the multiple of 100 dollar

is selected) x haphazard selection no structured technique applied by the auditor but

without bias



The size of the sample will depend on the level of sampling risk the auditor is willing to accept.

Sampling vs. non-sampling risk

Sampling risk is the risk that the auditors conclusion based on the sample is different to that which would be reached if the whole population was examined.

This may result in:

(a) the risk of incorrect rejection which arises when the sample indicates a higher level of errors than is actually the case. This situation is usually resolved by additional audit work being performed;

(b) the risk of incorrect acceptance when material error is not detected in a population because the sample failed to select sufficient items containing errors. Such errors should be detected by other complementary audit procedures.

Non-sampling risk is the component of detection risk that is not related to the fact that the auditor only tests a sample. Examples of sources of non-sampling risk include:

x failure to investigate significant fluctuations in relationships when placing reliance on analytical procedures;

x placing reliance on management representations as a substitute for other audit evidence that could reasonably be expected to be available;

x errors not detected due to allocating staff without appropriate skills or experience.

KEY KNOWLEDGE Computer assisted audit techniques (CAATs)

CAATs is the practice of using computers to automate or simplify the audit process. In the broadest sense of the term, CAATs can refer to any use of a computer during the audit.

CAATs is the practice of analyzing large volumes of data looking for anomalies. A well designed CAATs audit will not be a sample, but rather a complete review of all transactions. Using CAATs the auditor will extract every transaction the business unit performed during the period reviewed. The auditor will then test that data to determine if there are any problems in the data.

Another advantage of CAATs is that it allows auditors to test for specific risks. For example, an insurance company may want to ensure that it doesn't pay any claims after a policy is terminated. Using traditional audit techniques this risk would be very difficult to test. The



auditor would "randomly select" a "statistically valid" sample of claims (usually 30-50.) They would then check to see if any of those claims were processed after a policy was terminated. Since the insurance company might process millions of claims the odds that any of those 30-50 "randomly selected" claims occurred after the policy was terminated is extremely unlikely. Even if one or two of those claims was for a date of service after the policy termination date, what does that tell the auditor?

In practical terms the use of CAAT can take 2 major forms:

(a) Audit software the auditor uses a specialised software to facilitate sampling, data analysis, trend spotting, preparing reports and letters;

(b) Using test data the auditor feeds the companys system with test data containing errors. Subsequently the system is tested whether the errors were correctly addressed by the system and whether the data was rejected or treated in accordance with expectations.

KEY KNOWLEDGE Audit procedures

Cash

Risks

x Cash transactions may not be recorded accurately

x Cash may not exist

Steps

1. Confirm selected bank accounts and special arrangements

Select bank accounts for confirmation in order to obtain a moderate to low level of assurance that the aforementioned audit objectives are achieved. Bank confirmations should be sent to all banking relationships to identify accounts not included in the general ledger.

Confirmation requests should be sent under our control and, second requests and, where warranted, third requests should be mailed when responses to confirmation requests have not been received within a reasonable time.

Consider sending a special inquiry letter to ascertain the existence of special arrangements or restrictions, for example, compensating balance arrangements, security arrangements, written guarantees.



2. Review confirmation replies

For confirmations returned:

(a) agree account information and account balance to comparative summary;

(b) investigate all discrepancies reported or questions raised in review and determine whether any adjustments are necessary; and

(c) assess impact of special arrangements or restrictions identified and determine whether disclosure is appropriate.

3. Test accounts where there is no confirmation

In the unusual situation where we do not receive a bank confirmation and are willing to forego the receipt of the bank confirmation, consider performing the following procedures to obtain a high level of assurance that the aforementioned audit objectives are achieved:

(a) obtain subsequent month bank statement, bank reconciliation and supporting documentation. Consider obtaining information directly from the bank;

(b) test the mathematical accuracy of the bank reconciliation; (accuracy)

(c) trace outstanding items listed on the bank reconciliation to the subsequent month's bank statement and for those not traced, trace to the cash disbursements records for the period prior to the balance sheet date; (accuracy and existence/occurrence)

(d) trace deposits in transit listed on the bank reconciliation to the subsequent month's bank statement and for those not traced, trace to the cash receipts records for the period prior to the balance sheet date; (accuracy and existence/occurrence)

(e) obtain explanation for large, unusual reconciling items and trace to supporting documentation and/or entries in the cash records, as appropriate; (accuracy and existence/occurrence)

(f) review the date the above items cleared the bank or were recorded in the client's books to ensure appropriate recording period. Trace to supporting documentation as necessary; and (cut-off)

(g) investigate items such as, long outstanding items, dishonoured checks and significant adjustments in the subsequent month, and record adjustments as necessary. (accuracy and existence/occurrence)



4. Test bank reconciliations

Test bank reconciliation in order to obtain a moderate to low level of assurance that the aforementioned audit objectives are achieved by performing the following:

(a) test the mathematical accuracy of the reconciliation; (accuracy)

(b) trace book balances on the client's bank reconciliation to the comparative summary; (accuracy)

(c) trace bank balances on the client's bank reconciliation to the bank statement; (accuracy)

(d) test reconciling items on the bank reconciliation by performing the following:

i) obtain subsequent month bank statement and supporting documentation. Consider obtaining information directly from the bank;

ii) trace outstanding items listed on the bank reconciliation to the subsequent month's bank statement and for those not traced, trace to the cash disbursements records for the period prior to the balance sheet date; (accuracy and existence/occurrence)

iii) trace deposits in transit listed on the bank reconciliation to the subsequent month's bank statement and for those not traced, trace to the cash receipts records for the period prior to the balance sheet date; (accuracy and existence/occurrence)

iv) obtain explanation for large, unusual reconciling items and trace to supporting documentation and/or entries in the cash records, as appropriate; (accuracy and existence/occurrence)

v) review the date the above items cleared the bank or were recorded in the client's books to ensure appropriate recording period. Trace to supporting documentation as necessary; and (cut-off)

vi) investigate items such as, long outstanding items, dishonored checks and significant adjustments in the subsequent month, and record adjustments as necessary (accuracy and existence/occurrence).

(e) review client's bank reconciliation for review and approval by appropriate management and timely completion of reconciliation.

Account receivable

Risks

x The accounts receivable listing or individual balances may be inaccurate

x Accounts receivable balances may not exist



x Accounts receivable may not be collectible

x Bad debts write-offs may not be valid

x Sales transactions may be processed in the wrong period

Steps

1. Agree a detailed listing of accounts receivable to the summary

Obtain a detailed listing of accounts receivable balances (aged by customer, if possible) and:

(a) trace totals to the comparative summary of accounts receivable balances;

(b) select reconciling items in order to obtain a moderate to low level of assurance that accuracy is achieved and

i) trace these items to supporting documentation; and ii) determine whether the results of the client's investigations have been

reviewed and approved by a responsible official;

(c) test, to an extent to obtain a moderate to low level of assurance, the mathematical accuracy of the detailed listing; and

(d) if appropriate, examine support for any significant adjustments made throughout the year in reconciling detailed accounts receivable records with the account(s) in the general ledger.

2. Positively confirm selected accounts receivable balances

Select customers' account from the detail accounts receivable listing for positive confirmation in order to obtain a moderate to low level of assurance that the aforementioned audit objectives are achieved. Perform the following:

(a) send positive confirmation requests under our control. Where appropriate, send itemized statements to customers to facilitate responses. Second requests and, where warranted, third requests should be mailed when responses to positive confirmation requests have not been received within a reasonable time. When management requests us not to confirm certain accounts receivable balances, consider whether there are valid grounds for such a request. Before accepting a refusal as justified, examine any available evidence to support management's explanations.

(b) summarize confirmation coverage.



3. Review confirmation replies

For confirmations returned:

(a) agree account information and account balance to detail listing;

(b) reconcile the account detail between the returned confirmation and the detail listing, where applicable; and

(c) investigate all reconciling items and determine whether any adjustments are necessary.

4. Test accounts where there is no confirmation

When confirmation is not carried out, or where it is not possible to confirm a selected amount (including where confirmation requests are unanswered), select customer accounts from the detail accounts receivable listing for verification and perform the steps outlined below in order to obtain a moderate to low level of assurance that the aforementioned audit objectives are achieved.

(a) compare subsequent remittances credited to accounts with remittance advices or other receipts (e.g. deposit slips and bank statement) and ascertain that payments relate to the account balances;

(b) examine documentation such as shipping documents, copies of sales invoices, customer sales orders, and other relevant correspondence supporting the unpaid portion of the account balances. Coordinate this test with the review of the collectability of overdue accounts; and

(c) consider whether it is necessary to verify further the existence of the customer.

5. Assess adequacy of allowance for doubtful accounts

To an extent based upon materiality and inherent risk, assess the adequacy of allowance for doubtful accounts by performing the following procedures:

(a) obtain a list of accounts for which an allowance has been established. Review and test the process used by management to develop their estimate of collectability;

(b) where provisions are made by the use of formulae based on the aged listing, determine by reference to the details in our notes of the client's procedures whether the basis is:

i) consistent with prior years; ii) appropriate to the circumstances of the business; and iii) in accordance with the accounting policy;



(c) determine the effect, if any, of the client's policies and experiences regarding the timing of the passage of title, sales returns and allowances where right of return exists, and bill and hold situations; and

(d) discuss collectability with management and review other documentation supporting collectability as necessary.

6. Review bad debt write-offs

Review, in order to obtain a moderate to low level of assurance that valuation is achieved, bad debt write-offs by performing the following:

(a) consider the reasonableness of bad debt expense in light of the levels of bad debt write-offs compared with prior years; and

(b) examine documentation relating to write-offs during the period and determine whether the write-offs were properly authorized.

7. Test sales/accounts receivable cutoff

Accounts receivable cutoff testing is typically performed in conjunction with testing inventory cutoff and may be tested in the Inventory audit area. If cutoff is tested in the Accounts receivable audit area, perform the following:

Select sales and credit memoranda to obtain a moderate to low level of assurance that cutoff is achieved by reviewing the cutoff at the time of inventory taking and at year-end (if different) and performing the following:

(a) for selected sales for periods before and after the cutoff date, examine the related records of goods shipped and services performed to determine that the sales invoices are recorded as sales in the proper period;

(b) for selected credit (debit) memoranda for periods before and after the cutoff date, examine the related records of returns and claims from customers to determine that the credit (debit) memoranda are recorded in the proper period;

(c) determine whether there are unusually high volumes of returned goods after year-end; and

(d) consider unusual fluctuations in sales or return patterns before and after year-end and, if present, review for possible cutoff errors.

Inventory

Risks

x Inventory records may not be complete



x Inventory transactions may be processed in the wrong period

x Inventory items may not exist

x Inventory carrying values may not be realizable

Steps

1. Observe physical inventory

To an extent based on materiality and inherent risk, perform the following:

(a) inspect the premises to determine whether:

i) the arrangement of inventory is such that an accurate count is possible. ii) the inventory is in good condition with adequate storage space, and

whether items are properly packed or binned in a convenient manner for counting.

iii) scrap, obsolete, and damaged goods are adequately identified and segregated.

iv) inventory owned by third parties is adequately identified and segregated. v) inventories appear to be adequately safeguarded against access by

unauthorized persons and protected against deterioration.

(b) in observing physical inventory counts, determine whether:

i) the counts are carried out under proper supervision. Determine whether this official is independent of the custody and recording of inventory. Observe whether persons supervising the inventory make test counts in all areas and review all areas where inventory are kept to ensure that they have all been counted and the counts are recorded.

ii) appropriate procedures are employed to control inventory movements (e.g., transfers, stock picking, etc.) during the count.

iii) quantities and descriptions are properly entered on the inventory tags or sheets.

iv) the methods used to determine quantities are reasonably accurate. v) there are adequate procedures for determining quantities of goods not

susceptible to direct physical counting (e.g., screws, nails). vi) count totals are adequately checked by persons other than the original

counters. vii) there are adequate procedures to ensure that all inventory (other than that

on the company's premises owned by others) is counted and that no inventory is counted more than once.

viii) inventory on the company's premises owned by others has been appropriately identified and counted.



ix) tags or count sheets are signed by individuals carrying out the count, or other suitable means of identifying individuals carrying out the count have been established, such as assigning tags or count sheets to count teams.

(c) test the counting of inventory items by selecting items from the inventory tags or sheets and perform an independent count. Perform other counts of inventories and compare the results with those recorded on the inventory tags or sheets by company personnel. Follow up any differences noted in the counts. Record selected items counted for subsequent comparison with priced inventory listings. (Existence/Occurrence, Accuracy)

(d)

Date post:	12-Sep-2015
Category:	Documents
Upload:	alia-az
View:	218 times
Download:	5 times

ExPFIAFAU

Documents